Vault provides integration with Azure Active Directory (AAD) to enable your users to have a Single Sign-On experience when they access your organisation’s Web-based Vault application.
As well as giving users single sign-on, AAD lets you keep control and management of your users' access credentials without having to share them with a third party.
In its simplest form, AAD operates in the following manner:
- Your user attempts to log into Vault
- Vault refers the request to your Single Sign-On server
- Your Single Sign-On server verifies the user against your Active Directory credentials
- The user's details are passed back to Vault for Vault authorisation
- If the user exists in Vault, the user is presented with the Vault home page
Vault is responsible for:
- Providing the SAML interface in Vault
- Configuring the Vault interface with details supplied by you
You are responsible for:
- Provision and configuration of all Azure AD components
- Provision of appropriately skilled resources for the above
- Maintaining a valid token signing certificate and notifying Vault of any changes to the certificate used prior to rollover
Vault will assist with the integration of your Azure AD services with Vault; however, the skills and resources to configure AAD / SAML are your responsibility.
- Open Azure Portal
- Select Azure Active Directory from the left-hand side
- Add a new Enterprise application
- Select Non-gallery application
- Name the Application
- Select Single sign-on from left side menu
- Select SAML as the authentication method
- Download and send the Federation metadata XML to email@example.com
- Vault will install the federation metadata against your Vault domain. Once this is complete, you can then update the Vault Metadata. Your URL will be in the following format:
Download the metadata and save this to a file.
- Click on the edit icon on right-hand side of the Basic SAML Configuration box
- Press Upload metadata file and select the metadata file from Vault that you downloaded earlier. This populates the Identifier and the Reply URL with the correct values. Save this information
- Press the edit icon on the User Attributes
- Decide which user id should be displayed within Vault. By default, Vault uses everything up to the @ sign in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim, which is the person’s email address.
If you would like to use something different, create a property called “principal” and select the custom claim value to be used, e.g. SamAccountName
- Test the claim: in a private or incognito window, enter the following URL, replacing [companyid-0x] and [COMPANYID] with the correct values
After entering your network username and password, you will be redirected to an informational page detailing the information sent to Vault. Check that the claim values were successfully sent to Vault.
If you get any other page, recheck the settings and contact Vault IQ support with the error message.
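To make the user id rule from the User Attributes step concrete, here is an added Python example (not Vault's or Microsoft's code) that reads the AttributeStatement of a SAML assertion and derives the Vault user id: the custom “principal” claim if present, otherwise the part of the name claim before the @ sign. It assumes the assertion has already been signature-checked against your token signing certificate, and it runs on constructed sample assertions rather than a real Azure AD response.

```python
import xml.etree.ElementTree as ET

# SAML assertion namespace; NAME_CLAIM is the claim the guide names, and
# "principal" is the optional custom claim configured under User Attributes.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CUSTOM_CLAIM = "principal"


def attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its first value."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text and value.text.strip():
            claims[attr.get("Name")] = value.text.strip()
    return claims


def vault_user_id(assertion_xml: str) -> str:
    """Custom "principal" claim if present, else the name claim's local part.
    Only call this on an assertion whose signature has already been verified
    against the IdP token signing certificate; no verification happens here."""
    claims = attributes(assertion_xml)
    if CUSTOM_CLAIM in claims:
        return claims[CUSTOM_CLAIM]
    local, sep, _domain = claims.get(NAME_CLAIM, "").partition("@")
    if not sep or not local:  # missing claim, or not an email address
        raise ValueError("name claim missing or not an email address")
    return local


def build_assertion(*claims) -> str:
    """Constructed sample input (hypothetical, not a real Azure AD response):
    a minimal assertion carrying the given (Name, value) pairs."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f"</saml:AttributeValue></saml:Attribute>" for n, v in claims)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
            f"</saml:Assertion>")


SAMPLE_DEFAULT = build_assertion((NAME_CLAIM, "jane.doe@example.com"))
SAMPLE_CUSTOM = build_assertion((NAME_CLAIM, "jane.doe@example.com"),
                                (CUSTOM_CLAIM, "jdoe"))
# vault_user_id(SAMPLE_DEFAULT) -> "jane.doe"; vault_user_id(SAMPLE_CUSTOM) -> "jdoe"
```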